MFA Deactivation with no Re-Activation for Okta User Account

Last updated: 2024-09-23
Created: 2020-05-20

About

Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.
Tags
Tactic: Persistence
Use Case: Identity and Access Audit
Data Source: Okta
Domain: Cloud
Severity
low
Risk Score
21
MITRE ATT&CK™

Persistence (TA0003)

False Positive Examples
If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-okta.system*
Related Integrations

okta

Query
sequence by okta.actor.id with maxspan=12h
    [any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.deactivate"
        and okta.outcome.result == "SUCCESS" and not okta.client.user_agent.raw_user_agent like "SFDC-Callout*"]
    ![any where event.dataset == "okta.system" and okta.event_type == "user.mfa.factor.activate"]
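The sequence above has three parts worth checking by hand: the first step keeps only successful `user.mfa.factor.deactivate` events whose user agent does not match `SFDC-Callout*`; the negated second step (`![...]`) means the rule fires only when no `user.mfa.factor.activate` event from the same `okta.actor.id` arrives within the 12-hour `maxspan`; and the join key is the actor who performed the deactivation, not the user whose factor was removed. The following Python is an added illustration, not Elastic's code or its EQL engine: it re-implements that logic over a handful of constructed Okta system-log documents (the field paths are taken from the query; the sample events, user IDs and user-agent strings are made up, and the treatment of equal timestamps and of events that lack `okta.actor.id` is an assumption about EQL behaviour, not something the rule page states).

```python
"""Toy evaluation of the rule's EQL sequence over constructed Okta system-log
documents. Added example, not Elastic's code. Field paths mirror the query;
the NDJSON below is constructed, not real Okta output."""
import json
import re
from datetime import datetime, timedelta

MAXSPAN = timedelta(hours=12)  # sequence ... with maxspan=12h

# Constructed sample documents, nested the way the okta integration stores them.
SAMPLE_NDJSON = """\
{"@timestamp":"2024-09-20T08:00:00Z","event":{"dataset":"okta.system"},"okta":{"event_type":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"id":"00uA1"},"client":{"user_agent":{"raw_user_agent":"Mozilla/5.0"}}}}
{"@timestamp":"2024-09-20T09:30:00Z","event":{"dataset":"okta.system"},"okta":{"event_type":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"id":"00uA1"},"client":{"user_agent":{"raw_user_agent":"Mozilla/5.0"}}}}
{"@timestamp":"2024-09-20T10:00:00Z","event":{"dataset":"okta.system"},"okta":{"event_type":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"id":"00uB2"},"client":{"user_agent":{"raw_user_agent":"okta-sdk-java/8.2.0"}}}}
{"@timestamp":"2024-09-20T11:00:00Z","event":{"dataset":"okta.system"},"okta":{"event_type":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"id":"00uC3"},"client":{"user_agent":{"raw_user_agent":"SFDC-Callout/63.0"}}}}
{"@timestamp":"2024-09-20T12:00:00Z","event":{"dataset":"okta.system"},"okta":{"event_type":"user.mfa.factor.deactivate","outcome":{"result":"FAILURE"},"actor":{"id":"00uD4"},"client":{"user_agent":{"raw_user_agent":"Mozilla/5.0"}}}}
{"@timestamp":"2024-09-20T13:00:00Z","event":{"dataset":"okta.system"},"okta":{"event_type":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"id":"00uE5"},"target":[{"id":"00uF6","type":"User"}],"client":{"user_agent":{"raw_user_agent":"Mozilla/5.0"}}}}
{"@timestamp":"2024-09-20T13:20:00Z","event":{"dataset":"okta.system"},"okta":{"event_type":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"id":"00uF6"},"client":{"user_agent":{"raw_user_agent":"Mozilla/5.0"}}}}
{"@timestamp":"2024-09-21T02:00:00Z","event":{"dataset":"okta.system"},"okta":{"event_type":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"id":"00uB2"},"client":{"user_agent":{"raw_user_agent":"okta-sdk-java/8.2.0"}}}}
"""


def get(doc, path):
    """Resolve a dotted EQL field path against a nested document; None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def eql_like(value, pattern):
    """Case-sensitive wildcard match as EQL 'like' does it: '*' matches any run."""
    if not isinstance(value, str):
        return False
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def parse_events(ndjson):
    """Parse NDJSON and order by @timestamp. Equal timestamps keep input order
    (an assumed tiebreaker; the real engine uses its own)."""
    events = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    for ev in events:
        ev["_ts"] = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["_ts"])


def is_deactivation(ev):
    """First sequence step: successful deactivation not from the SFDC callout UA."""
    return (get(ev, "event.dataset") == "okta.system"
            and get(ev, "okta.event_type") == "user.mfa.factor.deactivate"
            and get(ev, "okta.outcome.result") == "SUCCESS"
            and not eql_like(get(ev, "okta.client.user_agent.raw_user_agent"),
                             "SFDC-Callout*"))


def is_activation(ev):
    """Negated second step: any activation event in the same dataset."""
    return (get(ev, "event.dataset") == "okta.system"
            and get(ev, "okta.event_type") == "user.mfa.factor.activate")


def unreactivated_deactivations(events, maxspan=MAXSPAN):
    """Deactivations NOT followed within maxspan by an activation from the same
    okta.actor.id. Events without the join key are skipped (assumed behaviour)."""
    hits = []
    for i, ev in enumerate(events):
        actor = get(ev, "okta.actor.id")
        if actor is None or not is_deactivation(ev):
            continue
        deadline = ev["_ts"] + maxspan
        followed = any(
            later["_ts"] <= deadline and is_activation(later)
            and get(later, "okta.actor.id") == actor
            for later in events[i + 1:]
        )
        if not followed:
            hits.append(ev)
    return hits


def alert_actors(ndjson=SAMPLE_NDJSON):
    """okta.actor.id of each event the rule would alert on, in timestamp order."""
    return [get(ev, "okta.actor.id")
            for ev in unreactivated_deactivations(parse_events(ndjson))]


if __name__ == "__main__":
    for ev in unreactivated_deactivations(parse_events(SAMPLE_NDJSON)):
        print(ev["@timestamp"], get(ev, "okta.actor.id"),
              "deactivated an MFA factor with no re-activation within 12h")
```

Run against the constructed sample, only actors `00uB2` and `00uE5` produce alerts: `00uA1` re-activated within the window, `00uC3` is excluded by the `SFDC-Callout*` user agent, `00uD4` failed, and the `00uB2` re-activation 16 hours later is outside `maxspan`. The `00uE5` case shows the join-key caveat: an administrator deactivating another user's factor is not suppressed when that user (`00uF6`) re-enrolls, because the sequence is keyed on the actor, not the target, so expect a hit for admin-driven factor resets even when the end user recovers promptly.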

Install detection rules in Elastic Security

Detect MFA Deactivation with no Re-Activation for Okta User Account in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.